Are Berkeley Packet Filter opcode values implementation defined?
I always thought of tcpdump/libpcap as authoritative in the BPF arena. I noticed that the linux kernel and tcpdump read BPF filters differently. The BPF mnemonics and behavior is the same, but the actual opcode values themselves seem different. I went looking on the internets for "The Standard", but everything I've found only has mnemonics.
No, other than instructions that some BPF interpreters/JITs support but others don't, they have the same binary values. Compare, for example, the current libpcap pcap/bpf.h with, at least, the Linux linux/bpf_common.h and linux/filter.h in the 3.19 kernel, and note the comment in linux/filter.h that reads:
/*
* Try and keep these values and structures similar to BSD, especially
* the BPF code definitions which need to match so you can share filters
*/
and the code in libpcap that uses the same compiler to generate BPF code for the Linux kernel, the *BSD/OS X/Solaris 11/etc. kernels, and the userland BPF interpreter, with only small code changes to deal with fetching packet metadata (rather than packet data).